Communication apparatus and method for secure low power transmission

ABSTRACT

The present disclosure provides a communication apparatus comprising a cryptographic circuitry which, in operation, uses a shared cryptographic secret Key and a cryptographic salt to generate a cryptographically encoded Message Integrity Code (MIC) that is computed over the 0address field of a Wake Up Radio (WUR) frame; and a transmission signal generator which, in operation, generates a secure WUR signal by replacing the address field of the WUR frame with the MIC; and a transmitter which, in operation, transmits the secure WUR signal.

BACKGROUND Technical Field

The present disclosure is generally related to a communication apparatusand a communication method.

Description of the Related Art

The IEEE (Institute of Electrical and Electronics Engineers) 802.11baTaskgroup is currently in the process of standardizing wirelesscommunication technologies related to the operations of a wake-up radio(WUR) apparatus. The WUR apparatus is a companion radio apparatus to theprimary connectivity radio (PCR) apparatus and may operate in the samefrequency band as the PCR or may also operate in a different frequencyband. The PCR may be any of the existing mainstream IEEE 802.11amendments (802.11a, 802.11g, 802.11n or 802.11ac) or even otherapplicable future amendments (e.g., 802.11ax). The purpose of the WURapparatus is to trigger the transition of the PCR apparatus out of sleepupon reception of a valid wake-up packet (also known as WUR PHY ProtocolData Unit (PPDU)), while the PCR is used as the primary wirelesscommunication radio. The PCR apparatus is only turned on during activecommunication, while during period of idle listening, the PCR apparatusis turned off and only the WUR apparatus is operating. The WUR apparatusis expected to have active receiver power consumption less than onemilliwatt, which is much lesser compared to the active receiver powerconsumption of the PCR apparatus. Devices with a WUR apparatus may becalled WUR devices and WUR mode may refer to operation mode where onlythe WUR is in operation while the PCR is turned off, while PCR mode mayrefer to operations with the PCR apparatus turned on.

The IEEE 802.11ba amendment is targeted at applications andInternet-of-Things (IOT) use cases in which the communication devicesare usually powered by a battery and it is highly desirable to extendthe battery lifetime while maintaining reasonably low latency.

CITATION LIST Non Patent Literature

IEEE Std 802.11-2016

IEEE 802.11-17/0575r2, Specification Framework for TGba, July 2017

IEEE 802.11-16/0722r1, “Proposal for Wake-Up Receiver (WUR) Study Group”

IEEE 802.11-17/0660r0, “WUR Security Proposal”

Ching-Tsung Hsueh et. al., “A Secure Scheme Against Power ExhaustingAttacks in Hierarchical Wireless Sensor Networks”

Patent Literature

US2017/0099662A1—Pascal Thubert et. al., “Dynamically hashed MAC addressfor transmission in a network”

BRIEF SUMMARY

Since much of the power saving for WUR devices is expected to be aresult of the devices turning off the main PCR apparatus and staying inthe WUR mode for extended period of time, unnecessary switching to thePCR mode is detrimental to the device's battery life. Due to the lowdata rates available for communication in the WUR mode, the WUR signalis expected to be much simpler and shorter as compared to the PCRsignal. As a result, WUR signals are very easy to be captured andreproduced by malicious devices for ulterior motives. This makes WURdevices especially susceptible to replay attacks, whereby an attackercaptures genuine WUR signals used by a central controller to wake up WURdevices and uses them in the future to falsely wake up the WUR deviceswith the intent of causing battery drainage. Such attacks may also beknown as power exhausting attacks or denial of sleep attacks.

One non-limiting and exemplary embodiment of the present disclosureprovides means for transmission and reception of secure WUR signals andprevent the above mentioned malicious attacks on WUR devices.

In one general aspect, the techniques disclosed here features: acommunication apparatus comprising a cryptographic circuitry which, inoperation, uses a shared cryptographic secret Key and a cryptographicsalt to generate a cryptographically encoded Message Integrity Code(MIC) that is computed over the address field of a Wake Up Radio (WUR)frame; and a transmission signal generator which, in operation,generates a secure WUR signal by replacing the address field of the WURframe with the MIC; and a transmitter which, in operation, transmits thesecure WUR signal.

It should be noted that general or specific embodiments may beimplemented as a system, a method, an integrated circuit, a computerprogram, a storage medium, or any selective combination thereof.

The communication apparatus and communication method described in thepresent disclosure provides means for transmission and reception ofsecure WUR signals and prevent false wake ups as a result of maliciousattacks on WUR devices.

Additional benefits and advantages of the disclosed embodiments willbecome apparent from the specification and drawings. The benefits and/oradvantages may be individually obtained by the various embodiments andfeatures of the specification and drawings, which need not all beprovided in order to obtain one or more of such benefits and/oradvantages.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 shows an example heterogeneous 802.11 wireless network with amixture of genuine and malicious WUR capable devices.

FIG. 2 shows the format of WUR PPDU being considered in the 802.11baTaskgroup.

FIG. 3 depicts a frame transmission sequence that illustrates an exampleof a malicious attack.

FIG. 4 depicts a frame transmission sequence used to negotiate/initiateWUR mode as per the first embodiment.

FIG. 5 shows the format of the WUR Action frame used for WUR modenegotiation/initiation as per the first embodiment.

FIG. 6 depicts the 4-way handshake used to obtain the secret keys to beused in secure transmissions.

FIG. 7 is a table of the encoding of the Cipher suite field in WURsecurity element as per the first embodiment.

FIG. 8 shows the frame format proposed for secure WUR frames as per thefirst embodiment.

FIG. 9A shows an alternative frame format proposed for secure WUR framesas per the first embodiment.

FIG. 9B shows the format of the WUR Action frame used for notifying thecryptographic salt value as per the first embodiment.

FIG. 10A shows the frame format proposed for secure WUR frames as perthe second embodiment.

FIG. 10B shows the format of the WUR Action frame used for notifying theMIC as per the second embodiment.

FIG. 11A depicts a first frame transmission sequence used in secure WURtransmissions as per the third embodiment.

FIG. 11B depicts a second frame transmission sequence used in secure WURtransmissions as per the third embodiment.

FIG. 12 depicts a frame transmission sequence used in secure WURtransmissions as per the fourth embodiment.

FIG. 13 shows the format of the WUR Action frame used for notifying acryptographic salt range as per the fifth embodiment.

FIG. 14 is a table of example MIC values as per the fifth embodiment.

FIG. 15 shows the frame format proposed for secure WUR frames as per thefifth embodiment.

FIG. 16 shows the frame format proposed for secure multicast WUR framesas per the fifth embodiment.

FIG. 17 shows the format of the Timing Synchronization Function (TSF)field as per the sixth embodiment.

FIG. 18 shows the frame format proposed for secure WUR frames as per thesixth embodiment.

FIG. 19 is a table of an example clock drift issue that may occur whenP-TSF is used for time synchronization.

FIG. 20 shows the intermediate process of creating the TSF field forinput to the WUR authentication module as per the sixth embodiment.

FIG. 21 shows an example process to create secure WUR frames at thetransmitter side as per the sixth embodiment.

FIG. 22 shows an example process to verify secure WUR frames at thereceiver side as per the sixth embodiment.

FIG. 23 shows a frame format proposed for secure multicast WUR frames asper the sixth embodiment.

FIG. 24 shows an alternate frame format proposed for secure multicastWUR frames as per the sixth embodiment.

FIG. 25 shows the frame format proposed for unsecure WUR frames as perthe sixth embodiment.

FIG. 26 shows the format of the Packet Number (PN) field as per theseventh embodiment.

FIG. 27 shows a frame format proposed for secure WUR frames as per theseventh embodiment. FIG. 28 shows a frame format proposed for updatingthe PN field as per the seventh embodiment.

FIG. 29 shows a frame format proposed for secure WUR frames as per theeight embodiment.

FIG. 30 is a simplified block diagram of an example AP that implementsthe disclosed transmission scheme.

FIG. 31 is a detailed block diagram of an example AP that implements thedisclosed transmission scheme.

FIG. 32 is a simplified block diagram of an example WUR STA thatimplements the disclosed transmission scheme.

FIG. 33 is a detailed block diagram of an example WUR STA thatimplements the disclosed transmission scheme.

DETAILED DESCRIPTION

The present disclosure can be better understood with the aid offollowing figures and embodiments. The embodiments described here aremerely exemplary in nature and are used to describe some of the possibleapplications and uses of the present disclosure and should not be takenas limiting the present disclosure with regard to alternativeembodiments that are not explicitly described herein.

FIG. 1 shows an example of a wireless communication network 100 in whichthe present disclosure may be applied. The wireless communication may bebased on popular wireless standards such as IEEE 802.11. The wirelesscommunication network 100 may comprise an Access Point (AP) 110 andthree stations (STA) 120, 130 and 140 associated with the AP 110. The AP110 is equipped with a Primary Connectivity Radio (PCR) apparatus(hereinafter stated simply as “PCR”) 112 which is capable oftransmitting and receiving wireless signals in the 802.11 waveform(e.g., Orthogonal Frequency Division Multiplexing (OFDM)) as well asbeing capable of transmitting wireless signals in the Wake-up radio(WUR) waveform (e.g., On-Off Keying (OOK)). STAs 120, 130 and 140 areWUR capable STAs and are equipped with PCRs 122, 132 and 142respectively as well as Wake-up radio receivers (WURx) apparatus(hereinafter stated simply as “WURx”) 124, 134 and 144 respectively.STAs 130 and 140 are capable of transmitting and receiving 802.11signals and are also capable of receiving WUR signals. The PCRs 132 and142 may only be turned on during active communication (PCR mode), whileduring period of idle listening, the PCRs may be turned off and only theWURx 134 and 144 may be operating (WUR mode). STA 120 however may be acustom made device that has all the functionalities of a WUR capable STAand in addition its PCR 122 also has the ability to transmit wirelesssignals in the Wake-up radio (WUR) waveform (OOK). Or STA 120 may simplybe a device that possesses both the WUR AP functionalities as well asthe WUR STA functionalities. When the AP 110 needs to communicate withSTAs operating in WUR mode, it may first transmit wake-up signal toinstruct the STAs to transit to PCR mode by turning on the respectivePCRs and switching off the WURx. Subsequently the AP and the STAs mayperform communication over the PCR. Once the 0communication is over, theSTAs may switch back to WUR mode by switching off the PCR and turning onthe WURx.

FIG. 2 shows the wake-up signal transmission scheme being considered inthe IEEE 802.11ba Taskgroup. The wake-up signal may be represented asthe WUR PHY Protocol Data Unit (PPDU) 200. The WUR PPDU 200 is composedof two distinct portions. The first portion is comprised of a 20 MHzlegacy (also known as non-high-throughput (HT)) 802.11 preamble 210 andone extra OFDM symbol 218 called WUR Mark, which are transmitted in the802.11 OFDM waveform over the entire 20 MHz channel. The second portionis the wake-up packet (WUP) payload 220 which is transmitted in a WUROOK waveform in a narrower sub-channel within the 20 MHz channel, forexample a 4 MHz sub-channel. Although only a single WUP Payload 220 isshown in FIG. 2 , it is also possible that more than one, for examplethree WUP Payloads, are transmitted on different, non-overlappingsub-channels within the 20 MHz channel.

The legacy 802.11 preamble 210 provides coexistence with legacy 802.11STAs that do not understand the WUR signals. Preamble 210 furthercomprises a non-HT Short Training Field (L-STF) 212, a non-HT LongTraining Field (L-LTF) 214 and a non-HT SIGNAL field (L-SIG) 216. TheL-SIG 216 carries information regarding the length of the WUP payload220, allowing legacy 802.11 devices to defer their transmissions for thecorrect duration. The WUR Mark 218 of duration 4 micro-seconds modulatedin Binary Phase Shift Keying (BPSK) is transmitted right after the L-SIG216 to prevent 802.11n devices from wrongly decoding the WUR PPDU 200 asbeing an 802.11n packet.

The WUP Payload 220 carries the actual wake-up signal and comprises awake-up preamble 222 and a WUR frame 230. The wake-up preamble 222 isused for automatic gain control (AGC), timing synchronization, packetdetection, etc., while the WUR frame 230 carries the controlinformation. The WUR frame 230 may also be known as a WUR MAC ProtocolData Unit (MPDU) and may be further composed of various sub-fields suchas a MAC header 240, a Frame check sequence (FCS) 252 as well as theoptional Frame body 250. The MAC header 240 may be further comprised ofa Frame control field 242 that species the frame Type, frame length,etc., an Address field 244 that may carry either one of the TransmitterAddress, Receiver address or both. Other control information may becarried in the TD Control field 246 depending on the frame Type. Forexample in WUR beacon frames, the TD Control field 246 may carry atimestamp field, while in unicast WUR frames, the TD Control field 246may carry a packet number, etc.

FIG. 3 depicts a frame transmission sequence 300 that illustrates anexample replay attack launched by an attacker in the wireless network100 in FIG. 1 . The attacker may be the STA 120 in FIG. 1 , while the APand the STA may be the AP 110 and STA 130 in FIG. 1 respectively. STA130 may have undergone WUR mode negotiation with AP 110 and may beoperating in WUR mode with only its WURx 134 in operation while its PCR132 is turned off. The attacker STA 120 on the other hand has both itsWURx 124 as well as PCR 122 turned on and may be monitoring the trafficbetween AP 110 and STA 130. When the AP 110 gets data from the upperlayer protocol destined for STA 130, it saves the data frame in bufferand transmits a WUR PPDU 310 to wake STA 130. Upon receiving the WURPPDU 310, STA 130 verifies that the PPDU is addressed to it and proceedsto turn on its PCR 132 and transmit a PS-Poll frame 312 to the AP 110.In the meanwhile, the WURx 124 of attacker 120 also receives the WURPPDU 310 and saves it in memory for future use. The AP 110 responds tothe PS-Poll frame 312 by transmitting the buffered data frame 314 to STA130. STA 130 confirms the receipt of the data frame 314 by sending theacknowledgement (ACK) frame 316 to the AP 110 and may proceed to WURmode by turning off its PCR radio 132. At a later point in time, theattacker STA 120 may use the captured WUR PPDU 310 to launch a replayattack on STA 130 by retransmitting the WUR PPDU 310 to it, causing itto transition to PCR mode. Since the WUR PPDU 320 is a replay of a validWUR PPDU transmitted by AP 110 in the past, it appears to be a valid WURPPDU to STA 130 and it may proceed to transmit another PS-Poll frame 322and may wait for AP 110 to send data frame to it. Eventually, when STA130 does not receive any frames from the AP, it may time out of the PCRmode and goes back to WUR mode, however it would already have lost somepower unnecessarily transitioning to PCR mode. If no measures areimplemented to mitigate such attacks, the attacker STA 120 may repeatthe replay attack until STA 130 completely runs out of battery.

Several exemplary embodiments are described in detail in later sectionsto describe the disclosure in detail. The various embodiments formitigating malicious false wake up attacks as per the present disclosureare described in detail in the following sections.

First Embodiment

FIG. 4 depicts the frame exchange sequence 400 used by a WUR STA tonegotiate the parameters used during WUR mode with its AP. The frameexchange 400 needs to be completed before a WUR STA enters the WUR modefor the first time. It may also be used subsequently to changeparameters related to WUR mode and also to enter or exit the WUR mode.WUR Action frame 500 in FIG. 5 may be used for the WUR modenegotiations. A WUR STA initiates the WUR mode negotiation bytransmitting a WUR Mode Request frame 410, which may be a variant of theWUR Action frame 500 with the WUR Mode Request/Response field 512 in theWUR Mode element 510 set to WUR Mode Request. Alternatively, the WURMode Request indication may also be carried within the WUR Action field502. In either case, a WUR Mode Request frame refers to a WUR Actionframe that carries an indication for WUR Mode request. Although notshown in FIG. 5 , the WUR mode element may also carry other parametersrelated to WUR mode operation such as duty cycle parameters, etc. As perthe first embodiment, the WUR mode element also contains a Securityfield 514 that may be set to 1 by a WUR STA to request the AP to enablesecure transmission mode for future transmissions of WUR PPDUs. SecureWUR transmission may be requested by WUR STAs right from the beginningor it may only be requested when a WUR STA detects that it is underattack. Although it may not be possible for a WUR STA to detect anattack just from one or two false wake ups, if the STA keeps gettingwoken up without receiving any follow up downlink frames from the AP formore than a certain threshold value, for example 5 times, the STA mayconsider itself under attack and request for security to be enabled.Upon receiving the WUR Mode request frame 410, the AP responds with theWUR mode response frame 420, which is another variant of the WUR Actionframe 500 in FIG. 5 with the WUR Mode Request/Response field 512 in theWUR Mode element 510 set to WUR Mode Response. Alternatively, the WURmode response indication may also be carried within the WUR Action field502. In either case, a WUR Mode Response frame refers to a WUR Actionframe that carries an indication for WUR Mode response. Aside from theparameters necessary for the WUR STA's WUR mode operation, if the WURSTA had requested security to be enabled for WUR transmissions, the APalso includes the WUR Security element 520 in FIG. 5 in the WUR moderesponse frame 420 carrying the parameters required for secure WURcommunication. Once the security parameters have been notified, the APwill use the secure WUR PPDU 430 when it needs to wake the WUR STA.

The WUR security element 520 in FIG. 5 carries the WUR SecurityParameters 530 that contains the information regarding the secret keysto be used by a WUR STA to receive secure WUR PPDUs. Since a WUR STA isalso an IEEE 802.11 device, it makes sense that the STA reuses theexisting 802.11 security framework as much as possible. Robust securitynetwork association (RSNA) is the default security protocol used by IEEE802.11 devices. Although within RSNA there are several securityalgorithms such as counter mode with cipher-block chaining messageauthentication code protocol (CCMP), Galois/counter mode (GCM) protocol(GCMP), broadcast/multicast integrity protocol (BIP), etc., as well asseveral hash algorithms, the secret Keys that these algorithms use maybe broadly classified as either Pairwise Key or Group Key. Pairwise Keysare used for unicast communication between a pair of devices, whileGroup Keys are used for broadcast or multicast communication. ThePairwise Cipher Suite field 540 indicates the Cipher suite to be usedfor unicast WUR PPDUs and is identified by the organizationally uniqueidentifier (OUI) field 542 and the Suite Type field 544. The pairwiseKey ID field 545 indicates the identifier of the Pairwise Key to be usedfor WUR PPDUs if more than one Pairwise Key has been negotiated betweenthe AP and the WUR STA. The Group Key count 548 indicates the number ofGroup Keys included in the element. If the same Group Key is to be usedfor all WUR broadcast and multicast PPDUs, only one Group Key isrequired, however if the AP decides to use different Group Keys forbroadcast and multicast WUR PPDUs, two or more Group Keys may beincluded in the element. The Group Key Data field 550, is variable inlength, and includes the information regarding the Group Keys. For eachincluded Group Key, the Group Cipher Suite field 550 indicates theCipher suite to be used for broadcast or multicast WUR PPDUs and isidentified by the organizationally unique identifier (OUI) field 552 andthe Suite Type field 554. The Group Key Info field 560 identifies aGroup Key as well as its use. The Key ID field 562 indicates theidentifier of the Group key to be used for WUR PPDUs if more than oneKey has been negotiated between the AP and the WUR STA; the GTK/IGTKfield 564 indicates whether the Group Key is Group Temporal Key (GTK) orIntegrity Group Temporal Key (IGTK) and the B'cast/M'cast field 566indicates whether the Group Key is to be used or broadcast or multicastWUR PPDUs. The Group ID field 568 may be used to specify a particularmulticast group with which the Group Key is associated and this field isset only if the B'cast/M'cast field 566 is set as multicast. The Key Lenfield 570 indicates the length of the Wrapped Key field 580 and may beset to 0 if the Wrapped Key field 580 is not included in the element.When the Key ID field indicates that the Group Key to be used for WURPPDUs is the same as that negotiated for use in PCR, the Wrapped Keyfield 580 is omitted, else the Wrapped Key field 580 contains theencrypted GTK or IGTK Key to be used for WUR PPDUs.

FIG. 6 depicts the WUR mode negotiation process 600 in which the AP andWUR STA negotiates separate secret Keys to be used exclusively for WURPPDUs. Even though it would be possible to reuse the same secret Keysfor WUR PPDUs as the ones used for PCR communications, if the WUR STAhas the capability, the AP may also initiate a separate 4 way handshakeprocess 620 with the WUR STA to obtain the PTK and GTK/IGTK to be usedexclusively for WUR PPDUs. Since the PCR mode of operation and the WURmode of operation are very distinct from each other and a STA may onlyoperate in either one mode at a time, generating separate secret keys tobe used exclusively for WUR PPDUs may be beneficial as the securityrisks are isolated to each mode of operation and the risk of acryptographic salt being repeated for a secret key is minimized. Inaddition, renegotiation of the Group Keys used for PCR need not affectthe Group Keys used for WUR PPDUs. Upon receiving the WUR Mode Requestframe 410 from a STA requesting security to be enabled for WUR PPDUs ina WUR Mode Request procedure 610, the AP may choose to initiate the 4way handshake 620 to derive separate secrets Keys used to encode/decodeWUR PPDUs. The 4 way handshake 620, shown within the dotted box, is thesame as used in RSNA when a STA associates with the AP to negotiate thePairwise Transient Key (PTK) and Group Keys (GTK and IGTK) to be usedfor secure sessions except that the secret Keys are meant to be usedexclusively for WUR PPDUs and hence the secret Keys may be referred toas W-PTK, W-GTK and W-IGTK to differentiate them from the secret Keysused during PCR communications. The AP concludes the WUR modenegotiation by transmitting the WUR Mode Response frame 420 whichcarries the rest of the parameters necessary for the WUR STA to enterWUR mode in a WUR Mode Response procedure 630. In this case the WUR ModeResponse frame 420 does not include the Wrapped Key field 580 shown inFIG. 5 . However the AP may choose to transmit unsolicited WUR ModeResponse frame 500 in FIG. 5 that includes the Wrapped Key field 580 tothe WUR STA at a future time to update the Group Keys in the event thatthe Group Keys may have changed while the WUR STA was in WUR mode.

FIG. 7 is the table 700 of the OUI and Suite Type encoding used in theWUR Security element and is used to identify the security algorithm usedfor secure WUR PPDUs. The AP may choose the appropriate algorithm to usebased on factors such as STA's capabilities. For example, for veryresource limited WUR STAs, AP may choose simple hash functions such asSHA1-128 or SHA-256, while for WUR STAs with higher processing power,the AP may choose the CCMP-128 Cipher suite. If the AP indicates “Usegroup cipher suite” for pairwise cipher suite, PTK is not used for WURPPDUs and only Group Keys are used. Although the use of pairwise ciphersuite is recommended for unicast WUR PPDUs, under certain circumstancethe AP may also decide to use Group cipher suite for all WUR PPDUs.

FIG. 8 illustrates a secure WUR frame 800 that carries acryptographically encoded MIC field 816 which helps the intendedreceiver WUR STA to categorically authenticate the transmitter of theframe. In order to differentiate secure WUR frames from unsecure WURframes, the AP sets the Security bit 814 within the Frame Control field812 to 1. The Security bit 814 alerts the receiving WUR STA of thepresence of the MIC field 816 within the WUR frame. As mentionedearlier, due to the comparatively simple signals used for transmissionsof WUR PPDUs, it is not very difficult for an attacker to replay anearlier WUR PPDU, or even generate a forged WUR frame with the maliciousintention of causing a WUR STA to waste battery power by forcing the STAto wake up unnecessarily. Such attempts may be thwarted if the WUR framecontains some field that can only be generated by a trusted transmitterusing a shared secret Key and which can be verified by the intended WURSTA using the same secret Key. Such fields are generally known asMessage Authentication Codes (MAC) or Message Integrity Codes (MIC). TheAP may use popular cryptographic hash functions that are also commonlyused in IEEE 802.11 devices such as SHA-1-128, SHA-256, SHA-384 or MD5,etc., to generate the MIC field 816, or the AP may also choose togenerate the MIC field 816 using block cipher algorithm such as CipherBlock Chaining Message Authentication Codes (CBC-MAC) which in turn maybe based on Advanced Encryption Standard (AES) such as AES-128-CMAC orAES-256-CMAC. The AP's choice of the cryptographic algorithm to use togenerate the MIC field 816 may be based on factors such as STA'scapabilities, for example for very resource limited WUR STAs, AP maychoose simple hash functions such as SHA1-128 or SHA-256, while for WURSTAs with higher processing power, the AP may choose the CCMP-128 whichis based on AES. A key assumption in using MAC or MIC to providesecurity is the fact that an attacker that does not possess the secretKey is not able to generate the same MIC or it is too computationallyexpensive to reverse engineer the secret key based on the MIC. However,it is still possible for an attacker to sniff a genuine secure WUR PPDUand use it at a future time to launch a replay attack. To prevent suchreplay attacks, the transmitter must ensure that each MIC computationuses a unique input (or a random number) that is different for eachsecure WUR PPDU for a particular secret Key. Such unique inputs aregenerally known as “salt” or “nonce.”

Several types of WUR frames are being considered in the IEEE 802.11baTaskgroup and even though the format of the frames may be similar, asshown in the generic WUR frame 230 in FIG. 2 , the content of the framefields may differ slightly depending on frame type. WUR frames that areaddressed to a single WUR STA may be known as unicast WUR frame, WURframes that are addressed to a group of WUR STAs may be known asmulticast WUR frames while WUR frames that are addressed to all the WURSTAs associated with an AP may be known as broadcast WUR frames. Aunicast WUR frame may contain both the Receiver Address (RA) as well asTransmitter Address (TA) within the Address field 244, and the TDcontrol field 246 may contain a timestamp field or a packet number,while the Frame body 250 field may be absent. Similarly a broadcast WURframe such as WUR Beacon, that is purely used for time synchronization(i.e., not used to wake WUR STAs) may only contain a Transmitter Address(TA) within the Address field 244, and the TD control field 246 maycontain a timestamp field use for time synchronization and the Framebody 250 may be absent. A multicast WUR frame on the other hand maycontain the Transmitter Address in the Address field 244, a timestamp orpacket number in the TD control field, while the Frame body field 250may contain a list of the WUR STAs that are targeted for waking by themulticast frame.

Referring again to FIG. 8 , if a WUR frame contains a unique number thatis different for each WUR frame, for example a Partial-TSF (P-TSF) field818, this may be used as a salt for the cryptographic function. TheP-TSF field may represent some selected bits of the Time SynchronizationFunction (TSF) maintained by the AP. If the WUR frame is a unicastframe, the AP uses its secret Key, for example the Temporal Key (TK)portion of the pairwise secret Key PTK or W-PTK, the Transmitter Address(TA) and the Receiver Address (RA), as well as the P-TSF field as inputto the cryptographic algorithm to obtain a MIC. Usually, the output of astandard cryptographic function may be too long to directly use in WURPPDUs and may need to be truncated to fit the limited size of the WURframes. For example, if the AP uses SHA-256 to generate the MIC, thecryptographic process at the AP may be summarized as:

MIC=Truncate-L(SHA-256(TK∥TA∥RA∥P-TSF))

TK=Temporal Key (TK) portion of the pairwise secret Key PTK or W-PTK andits length depends on the Cipher suite selected during the 4 wayhandshake, for example 128 bits for CCMP-128, etc.TA=Transmitter Address (MAC address of the AP=the Basic Service SetIdentifier (BSSID) of the BSS)RA=Receiver Address or the WUR ID (WID) assigned to the destination STA(e.g., AID12 of the recipient WUR STA)Truncate-L=function to truncate the output of the SHA-256 function (128bits) to L bits.L=number of bits of the Address field 244x∥y=concatenation of x and y

Alternatively, if the AP used the AES-128-CMAC to generate the MIC, theTK, TA, RA and P-TSF are fed into the AES engine as inputs which willreturn a 128 bit number as the MIC which is then truncated to L bits.

Finally, the AP replaces the Address field 244 in FIG. 2 with the MICfield 816, sets the security bit 814 to 1 and computes the FCS 830 overthe entire WUR frame 800 and transmits the secure WUR PPDU carrying theWUR frame 800.

As for a receiving WUR STA that receives the WUR frame 800, it firstverifies that the frame is error free by checking the FCS field 830. TheSecurity bit 814 alerts the STA that the WUR frame 800 is a secure frameand its Address field is replaced by the MIC field 816 while the FrameType field 813 indicates that the frame is a unicast WUR frame. The STAuses its secret Key, for example the Temporal Key (TK′) portion of thepairwise secret Key PTK or W-PTK, the BSSID of its BSS as theTransmitter Address (TA′) and the WUR ID (WID) assigned to the STA(e.g., STA's AID12) as the Receiver Address (RA′), as well as the P-TSFfield 818 as input to the cryptographic algorithm to obtain a MIC. Forexample, if the AP had indicated in the WUR mode response frame thatSHA-256 is to be used as the Cipher suite to use for pairwisecommunication, the cryptographic process at the STA may be summarizedas:

MIC′=Truncate-L(SHA-256(TK′∥TA′∥RA′∥P-TSF))

Since both the TA and RA were used as input to the MIC calculation, ifthe computed MIC′ matches the MIC field 816, the WUR STA implicitlyidentifies itself as being the receiver of the WUR frame and alsoconcludes that the frame is an authentic frame transmitted by its AP. Inorder to further protect itself from replay attacks, the WUR STA mayperform additional checks based on the P-TSF field, for example, the STAmay check that the P-TSF value is greater than that of WUR framesreceived in the past and also that the difference between the P-TSFvalue in the received WUR frame and the locally maintained P-TSF iswithin a certain acceptable value from its local P-TSF value, forexample less than the maximum expected clock drift. If the P-TSF checkfails, the WUR STA discards the frame, otherwise the STA proceeds totake the expected action based on the content of the WUR frame, forexample waking up its PCR if the WUR frame 800 is a unicast WUR frame.In order to prevent the case where the number of bits allocated to theP-TSF field is low and the P-TSF value may roll over after hitting themaximum and thereby causing genuine WUR frames being falsely classifiedas replayed WUR frames, the AP has to ensure that the secret key ischanged every time the P-TSF value rolls over. As for third party WURSTAs, if any of the inputs to the cryptographic function, for examplethe secret Key or the RA is different, the MIC′ computation will notmatch the MIC field carried in the WUR frame and the WUR STA can safelydiscard such frames.

The example above assumed the presence of both the TA and RA in theAddress field 244 of the WUR frames. However, if the WUR frame to besecured only carries the TA, for example WUR Beacon frames, the MIC iscalculated using the Temporal Key (TK) portion of the Group Key GTK orW-GTK, the BSSID of its BSS as the Transmitter Address (TA) as well asthe P-TSF field as input to the cryptographic algorithm.

MIC=Truncate-L(SHA-256(TK∥TA∥P-TSF))

Any WUR STA that possesses the same Group Key would be able to verifythe MIC and will be able to correctly receive the broadcast WUR Beaconand synchronize its local P-TSF based on the P-TSF field of the receivedframe.

Referring to FIG. 9A, a WUR frame 900 is shown that does not carry aunique number that may be used as salt for the cryptographiccomputation. Even if such frames included a MIC field, the receiverwould still be vulnerable to replay attack if the cryptographiccomputation did not include any unique salt value known to both thetransmitter and the recipient. Without a salt value, the cryptographiccomputation will output the same MIC for a given WUR frame if thecontent of the frame remains the same. In order to overcome suchsituation, during the WUR mode negotiation, for each WUR STA thatnegotiates secure WUR mode with an AP, the AP may provide a base randomnumber to use as the base number to generate the cryptographic salt forWUR frame types that do not carry a unique number that may be used assalt for the cryptographic computation. The WUR Action frame 950 in FIG.9B may be used for the purpose by the AP. In this variant of the WURAction frame, the indication of whether the Action frame is a requestframe from WUR STAs or a response frame from the AP may be carriedwithin the WUR Action field. When the WUR Action frame is used to carrythe cryptographic salt, the WUR Action field is set as WUR Moderesponse. Although not shown, the WUR Security element 520 may also bepresent. In addition, the AP also includes the Crypto Salt element 960to provide the base number to use for the cryptographic salt. Since itis possible that more than one WUR frame types may require separatecryptographic salts, the AP may include one or more Crypto SaltParameters field 962 within the Crypto Salt element 960. Each CryptoSalt Parameters field 962 is comprised of a Frame Type field 964 thatspecifies the WUR frame type to which this cryptographic salt is to beapplied and the Crypto Salt Base field 966 that specifies the startingnumber to use as the salt for the indicated WUR frame type. The encodingof the WUR Frame Type field 964 is the same as the Frame Type field 813in FIG. 8 . For unicast or multicast WUR frame types that require suchcryptographic salt, the AP maintains one unique number per frame typeper WUR STA or per multicast Group that has negotiated secure WURtransmission. Each WUR STA that has negotiated secure WUR transmissionalso maintains one unique number per frame type for unicast as well asone unique number per frame type for each multicast group that itbelongs to. By default, the Crypto Salt Base may be set to zero duringinitialization or the AP may also choose a different random value as thestarting number. After each successful transmission of a secure WURframe, the AP increments the value of the cryptographic salt associatedwith that WUR frame by one. Similarly, a WUR STA that successfullyreceives such secure WUR frame also increments the value of thecryptographic salt associated with that WUR frame by one. If r_STArepresents the current value of the cryptographic salt maintained by theAP for a particular frame type for a WUR STA, the AP uses its secretKey, for example the Temporal Key (TK) portion of the pairwise secretKey PTK or W-PTK, the BSSID and the Receiver Address (RA), as well asthe r_STA as input to the cryptographic algorithm to obtain a MIC. Forexample, if the AP uses SHA-384 to generate the MIC, the cryptographicprocess at the AP may be summarized as:

MIC=Truncate-L(SHA-384(TK∥BSSID∥RA∥r_STA))

L=number of bits of the Address field 244 less the number of bits of theRA field 914

The AP replaces the TA portion of the Address field 244 in FIG. 2 withthe MIC field 916, sets the security bit in the Frame Control 912 to 1and computes the FCS 930 over the entire WUR frame 900 and transmits thesecure WUR frame 900.

At a receiving WUR STA, it first compares the RA field 914 with its ownWUR ID and if there is a match, it proceeds to compare the MIC field916. If r_STA′ represents the current value of the cryptographic saltmaintained by the STA for the particular frame type, it uses its secretKey, for example the Temporal Key (TK′) portion of the pairwise secretKey PTK or W-PTK, the BSSID of its BSS and the WUR ID (WID) assigned tothe STA (e.g., STA's AID12) as the Receiver Address (RA′), as well asr_STA′ as input to the cryptographic algorithm to obtain a MIC′. Forexample, if the AP had indicated in the WUR Mode Response frame thatSHA-384 is to be used as the Cipher suite to use for pairwisecommunication, the cryptographic process at the STA may be summarizedas:

MIC′=Truncate-L(SHA-384(TK′∥BSSID′∥RA′∥r_STA′))

If the computed MIC′ matches the MIC field 916, the WUR STA implicitlyidentifies itself as being the receiver of the WUR frame and alsoconcludes that the frame is an authentic frame transmitted by its AP. Atthe same time, the STA increments the cryptographic salt maintained bythe STA for the particular frame type by one and proceeds to wake itsPCR. Upon receiving a response frame from the WUR STA, the AP alsoincrements the cryptographic salt maintained by the AP for theparticular frame type for the WUR STA by one. In this case, since thecryptographic salt value is always incremented by both the AT and STAfollowing each successful WUR transmission, any replayed WUR PPDU willfail to pass the MIC check and hence the replay attack is thwarted.

In order to recover from the case where the AP and STA may losesynchronization and have different values of the cryptographic salt, fewoptions could be employed:

1. AP can save the past one or more values of r_STA. In the event thatthe STA does not wake up for repeated transmission of WUR frame using aparticular value of r_STA, AP can re-use the saved value of past r_STAto generate the MIC to be transmitted in the WUR frame.

2. In addition to the Crypto Salt Base, AP provides another uniquerandom number e_STA to each WUR STA for emergency/backup use. STA savese_STA to memory. The AP uses the e_STA as the cryptographic salt togenerate the MIC in case the STA does not respond to repeated WUR framescarrying the MIC based on r_STA. Upon receiving a WUR frame, STAcompares the MIC in the WUR frame with the MIC generated using bothr_STA and e_STA. If either value matches, the WUR frame is consideredauthentic. Once a particular e_STA has been used, a new e_STA isnegotiated between AP and the STA.

As a slight variation, the MIC′ value may also be pre-computed by theWUR STA using the latest value of the cryptographic salt while the STAis in the PCR mode and saved to a common memory accessible to both PCRand WUR. When the STA receives a secure WUR frame, it simply comparesthe MIC field in the received frame with the saved MIC′ in the memory todetermine the authenticity of the received WUR frame. This option may bepreferable when a more computationally intensive cipher suite isselected by the AP since a WUR STA may have access to a more powerfulCPU during the PCR mode as compared to the WUR mode, thereby leading tosome power savings.

As mentioned earlier, due to the relatively low data rates expected tobe available for transmissions of WUR PPDU, it is beneficial to keep thelength of the WUR frame as short as possible. Replacing either the TAfield or both the TA and RA fields with the MIC has an added advantageof minimizing the increase in the length of the secure WUR frames. Inaddition, since the length of the input fields for the cryptographiccomputation is not a big concern, instead of using the abbreviatedaddress fields such as 12 bits of AID12 for RA, or 12 bits of BSS color(network identifier) as TA, the 48 bits long full MAC addresses may beused as RA and TA for the MIC computation. This further reduces thechances of unintended false positives for the MIC, for example due to aneighboring OBSS using the same BSS color. As an example, assuming theaddress field 244 in FIG. 2 is 16 bits long, if the addressed field isreplaced by the MIC field 816 as shown in FIG. 8 , the length of thesecure WUR frame remains the same as unsecure WUR frame.

Second Embodiment

Referring to FIG. 10A, an alternate solution is presented for WUR framesthat do not carry a unique number that may be used as salt for thecryptographic computation. During the WUR mode negotiation, for each WURSTA that negotiates secure WUR mode with an AP, for each unicast ormulticast WUR frame types that require such cryptographic salt, the APmaintains one unique number per frame type per WUR STA or per multicastGroup as a base number to generate the cryptographic salt for the frametype. By default, the base number may be set to zero duringinitialization or the AP may also choose a different random value as thestarting number. Using the current value of the base number as thecryptographic salt, the AP computes a MIC for each WUR STA before theSTA goes to WUR mode and transmit the MIC to the WUR STA using PCR. Ifr_STA represents the current value of the base number maintained by theAP for a particular frame type for a WUR STA, the AP uses its secretKey, for example the Temporal Key (TK) portion of the pairwise secretKey PTK or W-PTK, the BSSID and the Receiver Address (RA), as well asthe r_STA as input to the cryptographic algorithm to obtain a MIC. Forexample, if the AP uses HMAC-MD5 to generate the MIC, the cryptographicprocess at the AP may be summarized as:

MIC=HMAC-MD5(TK∥BSSID∥RA∥r_STA)

The WUR Action frame 1050 in FIG. 10B with the mode indication set toWUR Mode Response may be used by the AP to transmit the MIC to a WURSTA. The AP may include one or more MIC Parameters field 1062 within theMIC element 1060. Each MIC Parameters field 1062 is comprised of a FrameType field 1064 that specifies the frame type to which this MIC is to beapplied and the MIC field 1066 that carries the MIC to be used to verifythe indicated WUR frame type. The length of the MIC field 1066 dependson the Cipher suite used to compute the MIC. The encoding of the WURFrame Type field 1064 is the same as the Frame Type field 813 in FIG. 8. Each WUR STA that has negotiated secure WUR transmission receives andsaves one unique MIC per frame type for unicast as well as one uniqueMIC per frame type for each multicast group that it belongs to.Subsequently when the AP needs to transmit a secure WUR frame thatrequire a separate cryptographic salt to a WUR STA that is in WUR mode,it transmits the WUR frame 1000 that replaces the Address field 244 inFIG. 2 with r_STA 1014, the current value of the base number maintainedfor the WUR STA. The number of bits used for the base number is as suchlimited by the number of bits allocated for the Address field 244 inFIG. 2 .

At a receiving WUR STA, it uses its secret Key, for example the TemporalKey (TK′) portion of the pairwise secret Key PTK or W-PTK, the BSSID ofits BSS and the WUR ID (WID) assigned STA (e.g., STA's AID12) as theReceiver Address (RA′), as well as the r_STA received in the WUR frame1000 as input to the cryptographic algorithm to obtain a MIC′. Forexample, if the AP had indicated during the initial WUR mode negotiationthat HMAC-MD5 is to be used as the Cipher suite to use for pairwisecommunication, the cryptographic process at the STA may be summarizedas:

MIC′=HMAC-MD5(TK′∥BSSID′∥RA′∥r_STA))

If the computed MIC′ matches the saved MIC for the frame type, the WURSTA implicitly identifies itself as being the receiver of the WUR frameand also concludes that the frame is an authentic frame transmitted byits AP. After each successful transmission of a secure WUR frame, the APincrements the value of the base number associated with that WUR frameby one, re-computes the MIC using the base number and provides the MICto the WUR STA during a PCR session before the STA goes back to WURmode. One advantage of using this method is that there is no need totruncate the MIC and the full length MIC is used to verify theauthenticity of WUR frames, however there is an extra transmission ofthe MIC during each PCR session. This method may be suitable when theWUR frames are transmitted infrequently but a higher level of securityis expected.

Third Embodiment

Referring to FIG. 11A, yet another alternate solution is presented forWUR frames that do not carry a unique number that may be used as saltfor the cryptographic computation. Instead of explicitly providing arandom number to use as a cryptographic salt, the WUR STAs may alsoimplicitly receive the number to use as cryptographic salt from theframes exchanged during the PCR session. For unicast WUR frames, theSequence Number carried within the Sequence Control field of the MACheader of the most recent unicast Data frame or unicast Management framefrom the AP that was successfully received by the WUR STA may be used asthe cryptographic salt. For example, if SN represents the current valueof the Sequence Number of the most recently transmitted Data frame 1110,the AP uses its secret Key, for example the Temporal Key (TK) portion ofthe pairwise secret Key PTK or W-PTK, the BSSID and the Receiver Address(RA), as well as the SN as input to the cryptographic algorithm toobtain a MIC. For example, if the AP uses SHA-256 to generate the MIC,the cryptographic process at the AP may be summarized as:

MIC=Truncate-L(SHA-256(TK∥BSSID∥RA∥SN))

L=number of bits of the Address field 244

The AP replaces the Address field of the unicast WUR PPDU 1120 with thegenerated MIC, sets the security bit to 1 and computes the FCS over theentire WUR frame carried within the WUR PPDU and transmits the secureunicast WUR PPDU 1120.

At a receiving WUR STA, it uses its secret Key, for example the TemporalKey (TK′) portion of the pairwise secret Key PTK or W-PTK, the BSSID ofits BSS and the WUR ID (WID) assigned to the STA (e.g., STA's AID12) asthe Receiver Address (RA′), as well as the sequence number SN′ of themost recently received Data frame 1110 as input to the cryptographicalgorithm to obtain a MIC′. For example, if the AP had indicated duringthe initial WUR mode negotiation that SHA-256 is to be used as theCipher suite to use for pairwise communication, the cryptographicprocess at the STA may be summarized as:

MIC′=Truncate-L(SHA-256(TK′∥TA′∥RA′∥SN′))

If the computed MIC′ matches MIC field of the WUR PPDU 1120, the WUR STAimplicitly identifies itself as being the receiver of the WUR frame andalso concludes that the frame is an authentic frame transmitted by itsAP and proceeds to wake its PCR.

As for multicast WUR PPDUs, since more than one WUR STA is required tobe able to authenticate the WUR PPDU, the implicit cryptographic saltmust be the same for all the STAs that are the intended recipients ofthe multicast WUR PPDU. The Timestamp field carried within the mostrecent 802.11 Beacon frame may be used as the implicit cryptographicsalt for multicast WUR PPDUs. For example, if TSF represents the currentvalue of the Timestamp field of the most recently transmitted Beaconframe 1130, the AP uses its secret Group Key negotiated for themulticast group, for example the Temporal Key (TK) portion of the GroupKey GTK, IGTK or W-GTK, the BSSID and Group ID (GID) of the recipientmulticast group, as well as the TSF as input to the cryptographicalgorithm to obtain a MIC. For example, if the AP uses AES-128-CMAC togenerate the MIC, the cryptographic process at the AP may be summarizedas:

MIC=Truncate-L(AES-128-CMAC(TK∥BSSID∥GID∥TSF))

Here, AES-128-CMAC (TK∥BSSID∥GID∥TSF) is used to represent the output ofthe AES-128-CMAC algorithm that takes TK, BSSID, GID and TSF as inputs.

The AP replaces the Address field of the multicast WUR PPDU 1140 withthe generated MIC, sets the security bit to 1 and computes the FCS overthe entire WUR frame carried within the WUR PPDU and transmits thesecure multicast WUR PPDU 1140.

At a receiving WUR STA, every time it receives a Beacon frame from itsAP, it saves the timestamp field carried in the most recently receivedBeacon frame 1130 in memory as TSF. Subsequently when the STA receives asecure WUR frame and if the Frame Type of the received WUR frameindicates multicast frame, and if the STA belongs to a multicast group,it uses its Group Key GTK, IGTK or W-GTK, the BSSID of its BSS and theGroup ID (GID′) of the multicast group that the STA belongs to as wellas the saved timestamp TSF′ as input to the cryptographic algorithm toobtain a MIC′. For example, if the AP had indicated during the initialWUR mode negotiation that AES-128-CMAC is to be used as the Cipher suiteto use for pairwise communication, the cryptographic process at the STAmay be summarized as:

MIC′=Truncate-L(AES-128-CMAC(TK′∥BSSID∥GID′∥TSF′))

If the computed MIC′ matches the MIC field of the WUR PPDU 1140, the WURSTA implicitly identifies itself as being the receiver of the multicastWUR frame and also concludes that the frame is an authentic frametransmitted by its AP and proceeds to wake its PCR.

It may be possible that a WUR STA is operating in the WUR mode for avery long stretches of time and only needs to be woken up veryinfrequently. In such cases, it is possible that the WUR STA does notswitch to PCR mode very often. However such WUR STAs would still bereceiving WUR Beacon frames regularly in order to maintain timesynchronization with the AP. For such WUR STAs, the AP may instead usethe P-TSF carried within the most recent WUR Beacon frame that the WURSTA is known to have received as the cryptographic salt for the nextsecure WUR frame that is address to the STA. For example, an AP may beaware of the WUR Beacon frames that a WUR STA listens to, based on theinformation such as the WUR STA's duty cycle. An example is shown in theframe exchange sequence 1150. If the AP is aware that the WUR STA willlisten to the WUR Beacon 1160, and if P-TSF represents the value of theP-TSF field of the WUR Beacon frame 1160, the AP saves the P-TSF valuein memory. Subsequently when the AP needs to wake the STA, the AP usesits secret Key, for example the Temporal Key (TK) portion of thepairwise secret Key PTK or W-PTK, the BSSID and the Receiver Address(RA) of the recipient WUR STA, as well as the saved P-TSF as input tothe cryptographic algorithm to obtain a MIC. For example, if the AP usesAES-256-CMAC to generate the MIC, the cryptographic process at the APmay be summarized as:

MIC=Truncate-L(AES-256-CMAC(TK∥BSSID∥RA∥P-TSF))

The AP replaces the Address field of the WUR PPDU 1170 with thegenerated MIC, sets the security bit to 1 and computes the FCS over theentire WUR frame carried within the WUR PPDU and transmits the securemulticast WUR PPDU 1170.

At a receiving WUR STA, every time it receives a WUR Beacon frame fromits AP, for example the WUR Beacon 1160, it saves the P-TSF fieldcarried in the WUR Beacon in memory as P-TSF′. Subsequently when the STAreceives a secure WUR frame, it uses its secret Key, the BSSID of itsBSS and its WID as RA as well as the saved P-TSF′ as input to thecryptographic algorithm to obtain a MIC′. For example, if the AP hadindicated during the initial WUR mode negotiation that AES-256-CMAC isto be used as the Cipher suite to use for pairwise communication, thecryptographic process at the STA may be summarized as:

MIC′=Truncate-L(AES-256-CMAC(TK′∥BSSID∥RA′∥P-TSF′))

If the computed MIC′ matches MIC field of the secure WUR frame carriedby the WUR PPDU 1170, the WUR STA implicitly identifies itself as beingthe receiver of the WUR frame and also concludes that the frame is anauthentic frame transmitted by its AP and proceeds to wake its PCR.

If the WUR Beacon frames also carry a monotonically increasing WURBeacon Number, instead of using P-TSF as the cryptographic salt, the WURBeacon Number may also be used by the AP and WUR STAs as thecryptographic salt for the MIC computation.

In the event that some of the WUR STAs have very low duty cycle, or haveduty cycles that do not coincide with other WUR STAs, it will bedifficult to ensure that such WUR STAs have received the TSF or P-TSF ofthe most recent PCR Beacon frame or the most recent WUR Beacon framerespectively. In such cases, the AP and WUR STAs may keep track of thesequence number of the Target WUR Beacon Transmit Time (TWBTT) for eachWUR STA. Since the WUR Beacon Interval, the periodic interval at whichthe AP transmits WUR Beacons, is known to all WUR STAs, even withoutreceiving a WUR Beacon a WUR STA is still able to keep track of thesequence number of the most recent TWBTT. This sequence number may thenbe used as the cryptographic salt for the MIC computation.

Fourth Embodiment

Even though cryptographic functions such as HMAC or CMAC are widely usedin wireless communication systems and are considered much simpler thanmany other cryptographic functions, in certain very resource constraineddeployments, even a hash computation may take up significant resourcefor a WUR STA when it is operating in WUR mode. In such cases, the APmay have to relax the definition of secure WUR frame and rely on commonknowledge of some secret information that is known to both the AP andthe WUR STA to protect the WUR frames. As an example, during each PCRsession, the AP provides a randomly generated secret number r_STA to theWUR STA within an encrypted WUR Action frame 1210 which may be similarto the frame 1050 in FIG. 10B except that the MIC element carries therandom number r_STA instead of a MIC. The WUR STA saves the randomnumber in memory as r_STA′. Subsequently, when the AP needs to wake theWUR STA, the AP replaces the Address field of the WUR PPDU 1220 with thegenerated MIC, sets the security bit to 1 and computes the FCS over theentire WUR frame carried within the WUR PPDU and transmits the secureWUR PPDU 1220. A receiving WUR STA compares the Address field 244 withthe saved r_STA′ and if there is a match the WUR STA implicitlyidentifies itself as being the receiver of the WUR frame and alsoconcludes that the frame is an authentic frame transmitted by its AP.The WUR STA also checks against replay attacks by checking that therandom number carried in the Address field 244 has never been used inthe past and if true proceeds to wake its PCR. The AP again provides anew random number that has never been used before, to the STA usingencrypted WUR Action frame to be used for the next secure WUR frame andso on.

Fifth Embodiment

In the first embodiment, it was mentioned that for each WUR STA thatnegotiates secure WUR mode with an AP, the AP may provide a randomnumber to use as the base number to generate the cryptographic salt forWUR frame types that do not carry a unique number that may be used assalt for the cryptographic computation. Both AP and WUR STA implicitlygenerate the cryptographic salts to be used for next WUR frames byincrementing their respective base number. As an alternative, in orderto reduce the risk of lack of synchronization of the cryptographic saltsbetween the AP and WUR STAs, the AP provides the WUR STA a range ofnumbers to use as the cryptographic salt. Using a WUR Action frame 1350,the AP may provide the Crypto Salt Base 1366 as well as a Crypto SaltRange Exponent 1368 to use for a particular WUR frame type as indicatedby the Frame Type field 1364. As an example, if S_SN represents thevalue of the Crypto Salt Base 1366 and NUM_SN represents the value ofthe Crypto Salt Range Exponent 1368, the AP may indicate numbers in therange [S_SN, S_SN+2^(NUM_SN)−1]. Upon receiving the cryptographic saltrange, using the specified cryptographic algorithm, the WUR STA may useits secret pairwise Key, the BSSID of its BSS and its WID as RA asinputs to pre-compute the MIC values for each cryptographic salt in therange and save the MIC values in memory for future use during WUR mode.Table 1400 in FIG. 14 shows an example table of MIC values computed by aWUR STA with S_SN=100 and NUM_SN=8. Here the MIC values have beentruncated to 16 bits. When the AP needs to wake a WUR STA, the AP usesits secret pairwise Key, for example the Temporal Key (TK) portion ofthe pairwise secret Key PTK or W-PTK, the BSSID and the Receiver Address(RA) of the recipient WUR STA, and starts with the first CSN in theseries as the cryptographic salt as input to the cryptographic algorithmto compute a MIC. The AP replaces the TA field of the secure WUR frame1500 in FIG. 15 with the generated MIC 1516, sets the security bit to 1and computes the FCS over the entire WUR frame 1500 and transmits thesecure WUR PPDU carrying the WUR frame 1500.

Subsequently when a WUR STA receives the secure WUR frame 1500, it firstcompares the RA field 1514 with its own WUR ID and if there is a match,it proceeds to compare the WUR frame type and if a MIC table for theframe type exists in its memory, the STA compares the MIC field 1516with the stored MIC values in ascending order, starting from the lastused MIC value and if there is a match the WUR STA implicitly identifiesitself as being the receiver of the WUR frame and also concludes thatthe frame is an authentic frame transmitted by its AP and proceeds towake its PCR. Once the AP uses up all the cryptographic salt in thespecified range, it provides a new range of cryptographic salt to theWUR STA for the use to verify subsequent secure WUR frames.

The process for secure multicast WUR frames is very similar. The APprovides a separate range of cryptographic salt to WUR STAs to verifysecure multicast WUR frames. Upon receiving the cryptographic saltrange, using the specified cryptographic algorithm, the WUR STA may useits secret Group Key, the BSSID of its BSS and the Group ID of themulticast group that it belongs to as RA as inputs to pre-compute theMIC values for each cryptographic salt in the range and save the MICvalues in memory for future use during WUR mode. When the AP needs towake a group of WUR STAs, the AP uses its Group Key, for example theTemporal Key (TK) portion of the Group Key GTK, IGTK or W-GTK, the BSSIDand the Group ID of the recipient multicast group, and starts with thefirst CSN in the series as the cryptographic salt as input to thecryptographic algorithm to compute a MIC. The AP replaces the TA fieldof the secure multicast WUR frame 1600 in FIG. 16 with the generated MIC1616, sets the security bit to 1 and computes the FCS over the entireWUR frame 1600 and transmits the secure WUR PPDU carrying the multicastWUR frame 1600.

Each WUR STA that receives the secure multicast WUR frame 1600 comparesthe WUR frame type and if a MIC table for the frame type exists in itsmemory, the STA compares the MIC field 1616 with the stored MIC valuesin ascending order, starting from the last used MIC value and if thereis a match the WUR STA implicitly identifies itself as being one of thereceiver of the multicast WUR frame 1600 and also concludes that theframe is an authentic frame transmitted by its AP and proceeds to wakeits PCR. Once the AP uses up all the cryptographic salt in the specifiedrange, it provides a new range of cryptographic salts to the group ofWUR STAs to use to verify subsequent secure multicast WUR frames.

Sixth Embodiment

A recent IEEE 802.11ba proposal, IEEE 802.111-17/1004r01 proposes asimilar idea of creating a secure WUR frame by adding a MessageIntegrity Check (MIC) field to a WUR frame. The BSSID field which isgenerally used as an AP's transmitter address (TA) as well as the TimingSynchronization Function (TSF) maintained by the AP and STAs are used asan input for the MIC computation. The MIC is computed over the whole WURframe using secret group key (e.g., IGTK) and the FCS field is replacedwith the computed MIC field. Any error in the WUR frame duringtransmission will result in the MIC verification failing at thereceiver, thereby performing the function of the FCS field. However, theproposal suffers from some drawbacks as explained below:

a) using the TSF as input for the MIC computation would require somepre-processing at both the transmitter (AP) as well as the receivers(WUR STAs) of the secure WUR frames as detailed in the currentdisclosure as follows.

b) Group keys are meant to be used for broadcast/multicast transmissionsand may be known to all associated STAs. IGTK/GTK or any other group keyis susceptible to “Insider attack,” i.e., attack by a device that isalso associated with same AP since it knows the IGTK/GTK. Since the“inside attacker” knows the IGTK, it can easily create forged secure WURPPDUs with valid MIC.

FIG. 17 shows the format of a TSF 1700 that is maintained by all IEEE802.11 devices operating in infrastructure mode. The TSF 1700 is a64-bits long counter with a time resolution of 1 microsecond and helpsall the 802.11 devices in a BSS maintain time synchronization with theAP. An AP periodically broadcasts the current value of its TSF using theTimestamp field of the Beacon frames. Each STA that receives the Beaconframes from the AP that the STA is associated with, replaces its localTSF with the received timestamp after adjusting for the receiverprocessing delays. For easy referencing, starting from bit 0, the TSF1700 may be divided into eight octets from TSF-0 to TSF-7 as shown inFIG. 17 .

FIG. 18 shows the frame format of a secure WUR frame 1800 as per thesixth embodiment. The Mac header 1810 of the WUR frame 1800 comprises aFrame control field 1812, a Receiver Address (RA) field 1814 and aPartial TSF (P-TSF) field 1816. The frame control field follows the sameformat as the Frame control field 812 in FIG. 8 . In order todifferentiate secure WUR frames from unsecure WUR frames, the AP setsthe Security bit within the Frame Control field 812 to 1. The Securitybit alerts the receiving WUR STA of the presence of a MIC field withinthe WUR frame. The RA field 1814 may be set to a receiving WUR STA'sassigned WUR ID (WID), for example its AID12. The P-TSF field 1816 isused for time synchronization during the WUR mode and the AP may chooseto transmit the TSF-1 octet of the TSF 1700 in FIG. 17 as the P-TSF. TheFrame body field 1820 is optional and may only be present in certainframe types. In order to create a secure WUR frame, the AP computes aMIC over the entire WUR frame using a pre negotiated cryptographicfunction and with the TSF as the cryptographic salt. The AP's TA (BSSID)is also used as additional input for the MIC computation. The FCS fieldof the frame is replaced by the computed MIC field 1830 which serves asan authentication tag and at the same time also serves to detect anyerror in the WUR frame.

Using the local TSF directly for the MIC computation however is notfeasible due to the synchronization loss issue as explained below. UsingTSF-1 octet of the TSF 1700 in FIG. 17 as the P-TSF will give a partialtimestamp with a resolution of 256 μS and a roll over period of 65536μS. The choice of the bits of TSF to be used as P-TSF may depend on theWUR deployment scenario and may have been negotiated between the AP anda WUR STA during the initial WUR negotiation phase. If the TSF-1 octetis used as the P-TSF, the TSF-0 fields of the AP and STA cannot beexpected to be in synchronization. As such, the TSF bits smaller thanthe P-TSF should not be used in the MIC computation. In addition, a WURSTA running in WUR mode may not receive the 802.11 Beacon frames veryregularly and as such the local TSF maintained by the WUR STA may not beso tightly synchronized with the AP's TSF. Even though the WUR STA usesthe partial timestamp carried in the P-TSF fields in broadcast WURframes such as WUR Beacons to keep the corresponding bits of its localTSF in synchronization, due to the limited number of bits available forthe P-TSF field, the partial timestamp will roll over on a regular basisand the higher octets of the TSF will need to be incremented. Due tohardware limitation, both the AP's as well as the WUR STA's clocks areexpected to have some clock drift which is expressed as ±ppm (parts permillion). Typically, a WUR STA may be implemented using much cheaperhardware components as compared to the AP and are expected to experiencea much larger clock drift. Table 1900 in FIG. 19 illustrates an exampleof the timing synchronization issue that may occur due to the clockdrift error when the AP chooses to transmit the TSF-1 octet of the TSF1700 in FIG. 17 as the P-TSF. The example assumes a total clock drift of±200 ppm between as AP and a WUR STA, i.e., the AP's and the WUR STA'sclock differs by 200 units for every million units. The top half oftable 1900 shows the case where the STA's clock is running faster thanthe AP′ clock, while the bottom half shows the opposite case. For sakeof brevity, only the TSF-1 octet (8:15 bits) and the TSF-2 octets (16:23bits) of the TSF are shown. Assuming that the WUR Beacons aretransmitted once every 10 seconds, at the end of a 10 seconds periodsince the last WUR Beacon was received, the WUR STA's clock would havedrifted forward almost 2000 μS during this time and its TSF-1:TSF-2 mayroll over to 0:201 while the AP's TSF-1:TSF-2 is still at 249:200 asshown in row 1910. The AP's and WUR STA's TSF-2 re-synchronizes to 201only after seven more units at row 1919. Similarly, in the reverse casethe WUR STA's clock would have drifted behind almost 2000 μS during oneWUR Beacon interval and its TSF-1:TSF-2 may still be at 248:200 whilethe AP's TSF-1:TSF-2 has already roll over to 0:201 as shown in row1930. The AP's and WUR STA's TSF-2 re-synchronizes to 201 only afterseven more units at row 1940. This shows that if the WUR STA missed oneWUR Beacon, there is a “TSF misalignment window” of almost 4000 μSduring which the AP's and STA's TSF are misaligned. If the STA missedmore WUR Beacons, the “TSF misalignment window” will only grow bigger.In general, n, the maximum number of WUR Beacons that may be skipped andstill allows a WUR STA to recover the TSF synchronization is determinedby:

maximum drift by missing n WUR Beacons≤(roll over period)/2

The roll over period is determined by the number of bits used for theP-TSF field and its resolution and is calculated as 2^(l)*r, where l isthe number of bits used for the P-TSF and r is the resolution of P-TSF.Since a WUR STA would need to use the exact same value of TSF as used bythe AP in order to correctly verify the MIC, both the AP and WUR STAsneed to pre-process the respective local TSF to factor in the impact ofthe clock drift before using the TSF as an input for the MICcomputation. In general, the following step can be taken to rectify theTSF misalignment during the “TSF misalignment window”:

If the P-TSF in the received WUR frame is greater than the STA'scorresponding TSF bits by more than (roll over period)/2 units, the STAcan assume that the STA's clock is faster and a roll over has occurredat the STA and can adjust its higher TSF octets by decrementing by one.

Similarly, if the P-TSF in the received WUR frame is lesser than theSTA's corresponding TSF bits by (roll over period)/2 units or more, theSTA can assume that the STA's clock is slower and a roll over hasoccurred at the AP and can adjust its higher TSF octets by incrementingby one. For our example, using TSF-1 octet of the TSF 1700 in FIG. 17 asthe P-TSF, the roll over period can be calculated as 2⁸*256 μS=65536 μS.Hence, the maximum number of WUR beacons that may be missed may becomputed to be 16 which translate to a maximum “TSF misalignment window”of 32000 μS=125 units at P-TSF resolution of 256 μS. The following stepcan be taken to rectify the TSF misalignment during the “TSFmisalignment window”:

If the P-TSF in the received WUR frame is greater than the STA's TSF-1octet by more than 125 units, the STA can assume that the STA's clock isfaster and a roll over has occurred at the STA and can adjust its higherTSF octets by decrementing by one.

Similarly, if the P-TSF in the received WUR frame is lesser than theSTA's TSF-1 octet by more than 125 units, the STA can assume that theSTA's clock is slower and a roll over has occurred at the AP and canadjust its higher TSF octets by incrementing by one.

Referring to FIG. 20 , the above mentioned pre-processing of TSF isillustrated schematically. 2010 represents the local TSF maintained byan AP (TSF) or a WUR STA (TSF′). 2020 represents the copy of the localTSF (TSF*) after going through the pre-processing. When TSF-1 is used asthe P-TSF field by the AP, at the AP, the TSF-0 bits are masked to allzeroes to form TSF* and the TSF-1 octet is copied to the P-TSF field1816 in FIG. 18 . TSF* is then used as the cryptographic salt for theMIC computation and the FCS field of the WUR frame 1800 is replaced withthe computed MIC 1830. At the receiving WUR STA, a copy TSF* is made ofthe local TSF′ and the TSF-0 octet 2022 is masked to all zeroes. Nextthe TSF-1 octet 2024 is replaced by the P-TSF field 1816.

If the WUR frame 1800 in FIG. 18 is a unicast frame, the AP uses itssecret Key, for example the Temporal Key (TK) portion of the pairwisesecret Key PTK or W-PTK, the BSSID as well as the pre-processed TSF* asinput to the cryptographic algorithm to compute the MIC over the entireWUR frame except the FCS field (i.e., the MAC header 1810 as well as theoptional Frame Body 1820 if it exists). Usually, the output of astandard cryptographic function may be too long to directly use in WURPPDUs and may need to be truncated to fit the limited size of the WURframes.

For example, if the AP uses a cryptographic hash function SHA-256 togenerate the MIC, the cryptographic process at the AP may be summarizedas:

MIC=Truncate-L(SHA-256(TK∥WUR Frame*∥BSSID∥TSF*))

TK=Temporal Key (TK) portion of the pairwise secret Key PTK or W-PTK andits length depends on the Cipher suite selected during the 4 wayhandshake, for example 128 bits for CCMP-128, etc.WUR Frame*=the MAC header 1810 as well as the optional Frame Body 1820BSSID=the Basic Service Set Identifier (BSSID) of the BSS)=MAC addressof the APTruncate-L=function to truncate the output of the SHA-256 function (128bits) to L bits.L=number of bits of the FCS field 252x∥y=concatenation of x and y

The AP replaces the FCS field of the WUR frame 1800 with the generatedMIC 1830, and transmits the secure WUR frame 1800.

At a receiving WUR STA, when it receives the secure WUR frame 1800 andafter determining it to be a unicast WUR frame, confirms that the RAfield 1814 matches the STA's WID. If the RA matches, the STA uses itssecret key, for example the Temporal Key (TK′) portion of the pairwisesecret Key PTK or W-PTK, its BSSID′ as well as the pre-processed TSF* asinput to the cryptographic algorithm over the entire WUR frame exceptthe FCS field (i.e., the MAC header 1810 as well as the optional FrameBody 1820 if it exists) to obtain a MIC′. For example, if the AP hadindicated during the initial WUR mode negotiation that SHA-256 is to beused as the Cipher suite to use for pairwise communication, thecryptographic process at the STA may be summarized as:

MIC′=Truncate-L(SHA-256(TK′∥WUR Frame*∥BSSID′∥TSF*))

If the computed MIC′ matches MIC field of the secure WUR frame carriedby the WUR frame 1800, the WUR STA implicitly identifies itself as beingthe receiver of the WUR frame and also concludes that the frame is anauthentic frame transmitted by its AP and proceeds to wake its PCR.

Referring to FIG. 21 , an alternate method 2100 of generating a secureWUR frame by reusing the 802.11 CCMP cryptographic encapsulation isillustrated. Even though a simple cryptographic hash function could beused to produce a MIC for authentication of WUR frames, the AP may alsochoose to reuse the IEEE 802.11 CCMP cryptographic encapsulation used toencrypt PCR transmission to generate the MIC field 1830. Although theIEEE 802.11 CCMP cryptographic encapsulation is used during PCR toencrypt Data frames and Management frames, it also generates a MIC toauthenticate the contents of the MAC headers. Even though WUR frames donot need to be encrypted, the IEEE 802.11 CCMP cryptographicencapsulation process can be reused to generate the MIC used forauthenticating WUR frames. The AP can specify that CCMP is to be used togenerate the MIC during the WUR mode negotiation by specifying in theWUR Security element 520 in FIG. 5 that CCMP-128 in table 700 in FIG. 7is to be used as the cipher suite. A secure WUR frame is generated usingCCMP using following steps:

a) The TSF 2122 is preprocessed as described earlier by creating a copyTSF* and masking the n least significant bits (LSB) of TSF* to zero,where n is the bit index of the LSB of the P-TSF. For example if TSF-1is used as the P-TSF, n=8 and the 8 LSB of TSF, i.e., bit-0 to bit-7 aremasked to zero.

b) The unsecure WUR frame 2110 is marked as a secure WUR frame bysetting the Security bit 814 in the Frame Control field 812 in FIG. 8and the entire WUR frame (including the optional frame body 1820 in FIG.18 , if present) is used as the Additional Authentication Data (AAD)2116.

c) A CCM Nonce block 2118 is constructed from the BSSID 2120 and theTSF* 2114.

d) The AAD 2116, the Nonce block 2118 and the AP's Temporal Key (TK)2124 are fed to the Cryptographic circuitry 2130, which in this case isthe CCM encryption module to obtain the MIC 2132.

e) The generated MIC 2132 is then truncated to fit the FCS field 252 inFIG. 2 .

f) Finally, the Secure WUR frame 2150 is formed by appending the MIC2132 to the MAC Header and frame body 2112.

The procedure of authenticating a secure WUR frame at the receiving WURSTA using the CCMP cryptographic function is illustrated in FIG. 22 . AWUR STA authenticates a secure WUR frame using following steps:

a) The secure WUR frame 2210 is parsed to separate the MAC Header andframe body 2212, The P-TSF 2214 and the MIC field 2216.

b) The MAC Header and frame body 2212 are used as the AdditionalAuthentication Data (AAD) 2230.

c) The local TSF′ 2220 is preprocessed as described earlier by creatinga copy TSF* and masking the n least significant bits (LSB) of TSF* tozero, where n is the bit index of the LSB of the P-TSF. For example ifTSF-1 is used as the P-TSF, n=8 and the 8 LSB of TSF, i.e., bit-0 tobit-7 are masked to zero. The bits corresponding to the P-TSF field arereplaced with the P-TSF 2214 and the higher bits of the TSF* areadjusted for clock drift (TSF misalignment) as described earlier to formthe pre-processed TSF* 2232.

d) CCM Nonce block 2234 is constructed from the BSSID 2222 and the TSF*2232.

e) The AAD 2230, the Nonce block 2234 and the STA's Temporal Key (TK)2224 are fed to the Cryptographic circuitry 2250, which in this case isthe CCM encryption module to obtain a MIC.

f) The generated MIC is truncated to the length of the FCS field 252 inFIG. 2 to form MIC′ 2252. The MIC′ is compared with the MIC 2216 fromthe secure WUR frame 2210 and if the two are the same, the MICverification passes and the WUR frame is deemed authentic. The MICverification also ensures that the WUR frame is error free.

g) Since the TSF is used in the computation of the MIC, the MICverification also acts as implicit replay check. However, as an addedreplay protection measure, the local TSF′ and the processed TSF* mayundergo further replay check, for example by ensuring that thedifference between TSF′ and TSF* is less than the P-TSF roll overperiod. If the replay check 2244 passes, the MAC Header and frame body2212 is passed for further processing as an authentic unsecure WUR frame2260. At this time, the local TSF′ may also be updated with theprocessed TSF* after accounting for delay if any during thecryptographic verification process.

Referring to FIG. 23 , one option for a secure multicast frame 2300 isillustrated. As mentioned earlier, multicast WUR frames are addressed toa group of WUR STAs and as such Group Key that is known to all the STAsof the multicast group has to be used to create secure multicast frames.Usually in one infrastructure BSS, only one GTK and one IGTK isgenerated at a time, and all the STAs in the BSS that has negotiatedsecure transmission with the AP would have received the Group Keys fromthe AP. However, use of Group Key leads to vulnerability to “Insiderattack,” i.e., attack by another device that is also associated with thesame AP since it knows the IGTK/GTK. Since the “inside attacker” knowsthe GTK/IGTK, it can easily create forged secure WUR PPDUs with validMIC. In order to lessen the risk of the so called “Insider attack,”every time a new multicast group is formed, the AP derives a new set ofGroup Key (either GTK or IGTK) that is associated with that particularmulticast group, and with the Group ID assigned to the multicast group.The WUR Security element 520 may be used to transfer the Group Key toeach member of the multicast group. The Group ID field 568 in this caseis set as the Group ID assigned to the multicast group and the encryptedGroup Key is carried within the Wrapped Key field 580. The AP createsthe secure multicast WUR frame 2300 in the same way that it creates asecure unicast WUR frame, except that the RA field 2314 is set to theGroup ID of the multicast Group and the MIC field 2330 is computed usingthe Group Key assigned to the particular multicast Group instead ofusing the common Group Key used for broadcast frames. At the receivingWUR STAs, if the RA field 2314 of a secure multicast WUR frame matchesthe Group ID of a multicast group that the STA belongs, the STA uses theGroup key associated with the multicast group to compare the MIC andauthenticate the multicast WUR frame. Only if the MIC verificationpasses, the multicast WUR frame is processed and the STA may proceed towake its PCR. Using different Group Keys for different multicast groupslimit the scope of an “insider attack” to a particular multicast groupsince an attacker that belong to one multicast group does not possessthe Group Key for another multicast group and hence would be unable tolaunch an “inside attack.”

Referring to FIG. 24 , an alternate option for a secure multicast frame2400 is illustrated. This option is applicable if the multicast groupsare not assigned a Group ID but rather the targeted recipients of amulticast WUR frame are identified by including a Paged list of the RAsof the group member STAs, or if the multicast frame is only addressed tofew STAs of a multicast group. The RA field of the multicast frame maybe set to the multicast Group ID, if assigned; else it may be set as theRA of one of the member STA of the multicast Group. The WUR frame inthis case carries a frame body and this is indicated using a non-zerovalue in the Length field 815 in FIG. 8 . The frame body carries thelist of the RAs of the rest of the multicast STAs addressed by theframe. For such multicast frame format, a two-tier authentication may beused to create a secure multicast WUR frame at the AP using:

a) First, a hash value is created for each of the RA of the addressedSTAs by using the Temporal Key (TK) portion of the pairwise secret KeyPTK or W-PTK negotiated between the AP and each STA. For example, if RA1represent the RA of a STA, TSF* represents the processed TSF asexplained earlier, and assuming SHA-256 is used as the hash function, ahash RA may be created at the AP as:

RA=Truncate-L(SHA-256(TK∥RA1∥BSSID∥TSF*))

-   -   L=number of bits of the address field 244 in FIG. 2

b) Each of the RA field of the unsecure multicast WUR frame is replacedwith the corresponding computed hash values 2414, 2422 . . . 2424, andthe security bit within the Frame Control field 2412 is set to 1.

c) Second, the MIC is computed using the Group Key over the entire WURframe 2400, except for the FCS field, similar to the proceduresdescribed earlier and the FCS field is replaced with the generated MIC2430.

At a receiving WUR STA, if the STA belongs to a multicast group, a MIC′is computed using the Group Key over the entire WUR frame 2400, exceptfor the FCS field, similar to the procedures described earlier. If thecomputed MIC′ matches the MIC field 2430, the STA creates a hash valueof its WID by using the Temporal Key (TK′) portion of the pairwisesecret Key PTK or W-PTK negotiated between the AP and the STA. Forexample, if RA1 represent the WID of the STA, TSF* represents theprocessed TSF as explained earlier, and assuming SHA-256 is used as thehash function, a hashed RA may be created at the STA as:

RA=Truncate-L(SHA-256(TK′∥RA1∥BSSID′∥TSF*))

L=number of bits of the address field 244 in FIG. 2

The STA next compares each RA field in the multicast WUR frame 2400 withthe hashed RA and if there is a match, the WUR STA implicitly identifiesitself as being one of the receiver of the multicast WUR frame andproceeds to further process the frame, for example to wake its PCR.

Referring to FIG. 25 , the frame format of an unsecure WUR frame 2500 isillustrated. Although, similar in structure to a secure WUR frame, anunsecure WUR frame need not carry the P-TSF in the TD Control field2516. Also, the FCS field is used to carry the Cyclic Redundancy Check(CRC) 2530 which is computed over the whole WUR frame in order to detecterrors during transmission. Since the WUR frame is comparatively short,8 to 12 bits of CRC should suffice and as such the FCS field for anunsecure WUR frame can be shorter than the FCS field in a secure WURframe that carries a MIC. For example, assuming a 12 bits P-TSF field, a12 bits long CRC field and a 16 bits long MIC, an unsecure WUR frame canbe shorter than a secure WUR frame by 16 bits. In closed doorapplication where security is not a big concern, having different sizesfor secure and unsecure WUR frame may help WUR STAs save more power dueto the shorter lengths of unsecure WUR frames.

Seventh Embodiment

Instead of using a timestamp as a replay protection, it is also possibleto use a monotonically increasing sequence number or a packet number toachieve replay protection. FIG. 26 shows a 48 bit long Packet Number(PN) that may be used to provide replay protection for WUR PPDUs. Forthe ease of referencing, the PN may be divided into 6 octets andreferred to as PN-0, PN-1, PN-2, PN-3, PN-4 and PN-5, with PN-0 beingthe lowest octet and PN-5 being the highest octet. With 48 bits, the PNis enough to provide a unique number to the WUR PPDUs without having toworry about roll over of the PN number space. The AP maintains a uniquePN for every secret Key that it negotiates for transmission of secureWUR PPDUs and makes sure that for a given secret Key, the PN is neverrepeated during the transmission of WUR PPDUs. If separate secret Keysare negotiated exclusively for use with WUR PPDUs, the PNs maintainedfor WUR PPDUs are different from the ones used during PCR. Since the WURPPDU has limited number of bits available to carry the packet number,only a portion of the PN is carried by the WUR PPDUs, while theremaining bits of the PN is maintained locally. The portion of the PNthat is carried by the WUR PPDUs may be referred to as Partial PN(P-PN). For example, only the PN-0 octet may be carried in the WUR PPDUswhile the rest of the PN octets are not transmitted. Each WUR STA thathas negotiated secure WUR PPDUs maintains a local PN and every time avalid secure WUR PPDU is received, the WUR STA replaces thecorresponding bits of the PN with the P-PN received in the WUR PPDU. Ifseparate secret Keys are negotiated exclusively for use with WUR PPDUs,the PNs maintained for WUR PPDUs are different from the ones used duringPCR. If the value of the received P-PN is less than the value of thecorresponding bits of the PN, the higher bits of the PN is incrementedby one to account for rollover of the P-PN bits.

FIG. 27 shows the frame format of a secure WUR frame 2700 as per theseventh embodiment. The Mac header 2710 of the WUR frame 2700 consistsof a Frame control field 2712, a Receiver Address (RA) field 2714 and aPartial PN (P-PN) field 2716. The frame control field follows the sameformat as the Frame control field 812 in FIG. 8 . In order todifferentiate secure WUR frames from unsecure WUR frames, the AP setsthe Security bit within the Frame Control field 2712 to 1. The Securitybit alerts the receiving WUR STA of the presence of a MIC field withinthe WUR frame. The RA field 2714 may be set to a receiving WUR STA'sassigned WUR ID (WID), for example its AID12. The P-PN field 1816 isused as a partial packet number and the AP may choose to transmit thePN-0 octet of the PN 2600 in FIG. 26 as the P-PN. The Frame body field2720 is optional and may only be present in certain frame types. Inorder to create a secure WUR frame, the AP computes a MIC over theentire WUR frame using a pre negotiated cryptographic function and withthe PN associated with the secret Key used for the MIC computation asthe cryptographic salt. The AP's TA (BSSID) is also used as additionalinput for the MIC computation. The FCS field of the frame is replaced bythe computed MIC field 2730 which serves as an authentication tag and atthe same time also serves to detect any error in the WUR frame.

If the WUR frame 2700 in FIG. 27 is a unicast frame, the AP uses itssecret Key, for example the Temporal Key (TK) portion of the pairwisesecret Key PTK or W-PTK, the BSSID as well as the PN associated with thepairwise secret Key as input to the cryptographic algorithm to computethe MIC over the entire WUR frame except the FCS field (i.e., the MACheader 2710 as well as the optional Frame Body 2720 if it exists).

For example, if the AP uses a cryptographic hash function SHA-256 togenerate the MIC, the cryptographic process at the AP may be summarizedas:

MIC=Truncate-L(SHA-256(TK∥WUR Frame*∥BSSID∥PN))

TK=Temporal Key (TK) portion of the pairwise secret Key PTK or W-PTK andits length depends on the Cipher suite selected during the 4 wayhandshake, for example 128 bits for CCMP-128, etc.WUR Frame*=the MAC header 1810 as well as the optional Frame Body 1820BSSID=the Basic Service Set Identifier (BSSID) of the BSS)=MAC addressof the APTruncate-L=function to truncate the output of the SHA-256 function (128bits) to L bits.L=number of bits of the FCS field 252x∥y=concatenation of x and y

The AP replaces the FCS field of the WUR frame 2700 with the generatedMIC 2730, and transmits the secure WUR frame 2700.

At a receiving WUR STA, when it receives the secure WUR frame 2700 andafter determining it to be a unicast WUR frame, confirms that the RAfield 2714 matches the STA's WID. If the RA matches, the STA uses itssecret key, for example the Temporal Key (TK′) portion of the pairwisesecret Key PTK or W-PTK, its BSSID′ as well as the local PN′ (afterupdating with the received P-PN 2716) as input to the cryptographicalgorithm over the entire WUR frame except the FCS field (i.e., the MACheader 2710 as well as the optional Frame Body 2720 if it exists) toobtain a MIC′. For example, if the AP had indicated during the initialWUR mode negotiation that SHA-256 is to be used as the Cipher suite touse for pairwise communication, the cryptographic process at the STA maybe summarized as:

MIC′=Truncate-L(SHA-256(TK′∥WUR Frame*∥BSSID′∥PN′))

If the computed MIC′ matches MIC field of the secure WUR frame carriedby the WUR frame 2700, the WUR STA implicitly identifies itself as beingthe receiver of the WUR frame and also concludes that the frame is anauthentic frame transmitted by its AP and proceeds to wake its PCR.

Even though a WUR STA tries to keep its local PN synchronized with theAP's PN, at times the two may be out of synchronization. This would leadto MIC verification failure at the WUR STA and a WUR PPDU would turn upwith corrupted MIC at the STA. A WUR STA may detect a PN synchronizationissue when it keep receiving WUR PPDUs with a RA field that matches itsWID but the MIC verification keeps failing. In order to recover fromsuch PN synchronization issue, a WUR STA may transmit a WUR Action frame2800 in FIG. 28 to the AP to request a PN update. The WUR Action frame2800 is the same as the WUR Action frame 500 in FIG. 5 with anadditional PN update element 2810. A WUR STA sets the Request/Responsebit 2822 in the PN Update field 2820 to Request to request a PN update.The STA also sets the Unicast bit 2822, Multicast bit 2824 or theBroadcast bit 2826 to indicate which PN update it is requesting. Uponreceiving a request for PN update, the AP transmits the WUR Action frame2800 with the Request/Response bit 2822 in the PN Update field 2820 setto Response and the PN field 2824 carrying the value of the PNmaintained by the AP for the corresponding Key (unicast, multicast orbroadcast). Upon receiving the PN update element, the WUR STA replacesits local PN with the PN field 2828.

Eight Embodiment

Referring to FIG. 29 , a hybrid solution is presented for securetransmission of WUR frames that do not carry a unique number that may beused as salt for the cryptographic computation. A secure WUR frame 2900may be created as a two-step process. In the first step, the RA field ofthe MAC Header 2910 is replaced with a cryptographic hash value 2914.The hash value may be computed by running the cryptographic functionover the RA field with a random cryptographic salt that is known to boththe AP and the WUR STA, but not transmitted in the WUR frame 2900. Therandom cryptographic salt may be shared between the AP and WUR STA asdisclosed in the first, third or the fifth embodiment. In the secondstep, the MIC field 2930 is computed over the entire WUR frame exceptthe FCS field as disclosed in the sixth and the seventh embodiment. TheFCS field is then replaced with the MIC field 2930. At a receiving WURSTA, first it is verified that the MIC field 2930 is valid and if it is,the hashed RA field 2914 is compared with a locally computed hash value.If the two hash values are identical, the STA identifies itself as arecipient of the WUR frame 2900 and may proceed to wake its PCR. As longa unique cryptographic salt is used for the computation of the hashed RAfield 2914, it can be ensured that the MIC field 2930 will be differentfor each WUR frame and hence a replay attack may be thwarted.

Configuration of an Access Point

FIG. 30 is a block diagram of the PCR 3000 of an example AP thatimplements the secure transmission scheme described in the presentdisclosure. The AP may be the AP 110 in FIG. 1 . The PCR 3000 isconnected to the antenna 3002, and is used for the transmission andreception of 802.11 signals as well as for the transmission of wakeupsignals. PCR 3000 is comprised of an RF/Analog front end 3010, a PHYProcessing unit 3020 and a MAC processing unit 3030 which is connectedto a Cryptographic circuitry 3040.

The RF/Analog front end 3010 is responsible for transfer of analogsignals to/from the antenna 3002 and may comprise sub-components such asAutomatic Gain Control (AGC), Low Pass Filter (LPF), Analog-to-DigitalConverter (ADC) and so on.

The PHY Processing unit 3020 is responsible for the processing of thePHY layer signals and is further comprised of the OFDMmodulator/demodulator unit 3022. The OFDM modulator/demodulator 3022 isresponsible for the OFDM modulation of transmit signals or demodulationof received OFDM signals. On the transmission side, aside from applyingOFDM modulation to 802.11 PPDUs, the OFDM modulator/demodulator 3022 isalso used to generate WUR signal (e.g., OOK) by populating selected OFDMsubcarriers.

The MAC Processing unit 3030 is responsible for various MAC relatedprocessing such as retransmission, fragmentation, aggregation, etc. Inaddition, the MAC Processing unit 3030 also incorporates the WUR payloadgenerator 3032 which is responsible for generating the contents of thepayload carried in WUR packets transmitted by the AP.

The Cryptographic circuitry 3040 is used for the cryptographiccomputation to create secure WUR PPDUs. An AP uses the Cryptographiccircuitry 3040 to generate the Message Integrity Code (MIC) to be usedin secure WUR PPDUs. The Cryptographic circuitry 3040 may also be usedfor encryption and decryption of protected 802.11 frames during the PCRmode.

FIG. 31 is a more detailed block diagram of an example AP 3100 capableof transmitting secure WUR PPDUs, which may be the AP 110 in FIG. 1 .The AP 3100 comprises a Central Processing Unit (CPU) 3130 coupled to amemory 3120, a secondary storage 3140, one or more wirelesscommunication interfaces 3150, as well as other wired communicationinterfaces 3170. The secondary storage 3140 may be a non-volatilecomputer readable storage medium that is used to permanently storepertinent instruction codes, data, etc.

At the time of start up, the CPU 3130 may copy the instruction codes aswell as related data to the volatile memory 3120 for execution. Theinstruction code may be an operating system, user applications, devicedrivers, execution codes, etc., which are required for the operation ofthe AP 3100. The size of the instruction code and hence the storagecapacity of both the secondary storage 3140 as well as the memory 3120may be substantially bigger than that of the STA 3300 in FIG. 33 .

The AP 3100 may also comprise a power source 3110 which in most casesmay be a power mains but in some cases may also be some kind of highcapacity battery for, e.g., a car battery. The wired communicationinterface 3170 may be an ethernet interface, or a powerline interface,or a telephone line interface, etc.

The wireless communication interface 3150 may comprise an interface forcellular communication, or an interface for short range communicationprotocols such as Zigbee, or it may be a WLAN interface. The Wirelessinterface 3150 may further comprise a MAC module 3152 and a PHY module3160. The MAC module 3152 of an AP may be substantially more complicatedthan that of a STA 3300 in FIG. 33 and may comprise many sub-modules.Among other sub-modules, the MAC module 3152 may be comprised of a WURPayload Generator 3158, a PCR payload generator 3154 and a Packetscheduler 3156. The PHY module 3160 is responsible for the conversion ofthe MAC module data to/from the transmission/reception signals and isfurther comprised of an OFDM modulator/demodulator 3162. TheCryptographic circuitry 3164 is used for the cryptographic computationto create secure WUR PPDUs and may also be used for encryption anddecryption of protected 802.11 frames during the PCR mode. The wirelessinterface may also be coupled, via the PHY module, to one or moreantennas 3102 that are responsible for the actual transmission/receptionof the wireless communication signals on/from the wireless medium.

An AP as per the present disclosure may comprise many other componentsthat are not illustrated, for sake of clarity, in FIG. 30 and FIG. 31 .Only those components that are most pertinent to the present disclosureare illustrated.

Configuration of a STA

FIG. 32 illustrates a WUR STA 3200 that is capable of receiving secureWUR PPDUs and is equipped with two separate radios: a PCR 3220 fortransmitting and receiving 802.11 OFDM signals and a WUR 3210 forreceiving WUR signals.

The WUR 3210 is further comprised of several sub components such as anRF/Analog Front End 3212 responsible for receiving the analog radiosignals from the antenna 3202, a WUR Preamble Detection module 3214responsible for detecting and decoding the preamble portion of the wakeup signal, and a WUR Packet Decoding/Processing module 3216 responsiblefor decoding and processing the payload portion of the wakeup signal.

The PCR 3220 is comprised of an RF/Analog front end 3222, a PHYprocessing unit 3230, and a MAC processing unit 3240. The RF/Analogfront end 3222 is responsible for transfer of analog signals to/from theantenna 3202 and may comprise sub-components such as Automatic GainControl (AGC), Low Pass Filter (LPF), Analog-to-Digital Converter (ADC)and so on. The PHY Processing unit 3230 is responsible for theprocessing of the PHY layer signals and is further comprised of an OFDMmodulator/demodulator 3232 that is responsible for the modulation oftransmit OFDM signals or demodulation of received OFDM signals.

The Cryptographic circuitry 3230 is used for the cryptographiccomputation to verify secure WUR PPDUs. A STA uses the Cryptographiccircuitry 3230 to generate the Message Integrity Code (MIC) to be usedfor comparing against the MIC carried in secure WUR PPDUs. TheCryptographic circuitry 3230 may also be used for encryption anddecryption of protected 802.11 frames during the PCR mode.

FIG. 33 is a detailed block diagram of an example STA 3300 that iscapable of receiving secure WUR PPDUs as described in the presentdisclosure and may be STA 130 or STA 140 in FIG. 1 . The STA 3300 iscomprised of a Central Processing Unit (CPU) 3330 coupled to a memory3320, a secondary storage 3340, one or more PCR interfaces 3350 as wella WUR interface 3360. Both the PCR interface 3350 and the WUR interface3360 are connected to the same wireless antenna 3302. The secondarystorage 3340 may be a non-volatile computer readable storage medium thatis used to permanently store pertinent instruction codes, data, etc.

At the time of start up, the CPU 3330 may copy the instruction codes aswell as related data to the volatile memory 3320 for execution. Theinstruction code may be an operating system, user applications, devicedrivers, execution codes, etc., which are required for the operation ofthe STA 3300. The STA 3300 may also comprise a power source 3310 forexample a lithium ion battery or a coin cell battery, etc., or it mayalso be Mains electricity. The PCR interface 3350 may comprise aninterface for cellular communication, or an interface for short rangecommunication protocols such as Zigbee, or it may be a WLAN interface.

The PCR interface 3350 is comprised of a MAC module 3352 and a PHYmodule 3354 which is further comprised of an OFDM Modulator/Demodulator3358.

The WUR interface 3360 is comprised of several sub components such as anRF/Analog Front End 3362 responsible for receiving the analog radiosignals from the antenna 3302, a WUR Preamble Detection module 3364responsible for detecting and decoding the preamble portion of the wakeup signal, a WUR Packet Decoding/Processing module 3366 responsible fordecoding and processing WUR frames which may involve verification ofsecure WUR frames. The WUR interface 3360 may also store the dedicatedsecret Keys 3370 used for the cryptographic computations forverification of secure WUR PPDUs. The WUR interface 3360 may alsomaintain independent WUR Replay Counters 3372 used to detect replayattacks. At any point in time, only one of the wireless interfaces isexpected to be in operation, either the PCR interface 3350 or the WURinterface 3360.

The Cryptographic circuitry 3380 is used for the cryptographiccomputation to verify secure WUR PPDUs and may also be used forencryption and decryption of protected 802.11 frames during the PCRmode.

A STA as per the present disclosure may comprise many other componentsthat are not illustrated, for sake of clarity, in FIG. 32 or FIG. 33 .Only those components that are most pertinent to the present disclosureare illustrated.

In the foregoing embodiments, the present disclosure is configured withhardware by way of example, but may also be provided by software incooperation with hardware.

In addition, the functional blocks used in the descriptions of theembodiments are typically implemented as LSI devices, which areintegrated circuits. The functional blocks may be formed as individualchips, or a part or all of the functional blocks may be integrated intoa single chip. The term “LSI” is used herein, but the terms “IC,”“system LSI,” “super LSI” or “ultra LSI” may be used as well dependingon the level of integration.

In addition, the circuit integration is not limited to LSI and may beachieved by dedicated circuitry or a general-purpose processor otherthan an LSI. After fabrication of LSI, a field programmable gate array(FPGA), which is programmable, or a reconfigurable processor whichallows reconfiguration of connections and settings of circuit cells inLSI may be used.

Should a circuit integration technology replacing LSI appear as a resultof advancements in semiconductor technology or other technologiesderived from the technology, the functional blocks could be integratedusing such a technology. Another possibility is the application ofbiotechnology and/or the like.

INDUSTRIAL APPLICABILITY

This disclosure can be applied to a wireless apparatus to recover fromthe state mismatch wherein the receiver's state of the active radio isdifferent from the transmitter's record.

REFERENCE SIGNS LIST

-   110, 2200 AP-   120, 130, 140, 3300 WUR STA-   112, 122, 132, 142, 3000, 3150, 3220, 3350 PCR-   124, 134, 144, 3210, 3360 WURx-   3002, 3102, 3202, 3302 Antenna-   3010, 3222, 3362 RF/Analog Front End-   3020, 3160, 3224, 3354 PHY processing circuitry-   3022, 3162, 3228, 3358 OFDM Modulator/Demodulator-   3040, 3164, 3230, 3380 Cryptographic circuitry-   3032, 3158 WUR Payload Generator-   3030, 3152, 3226, 3352 MAC processing circuitry-   3154 PCR Payload Generator-   3156 Packet Scheduler-   3110, 3310 Power Source-   3120, 3320 Memory-   3130, 3330 CPU-   3140, 3340 Secondary Storage-   3150 Wireless I/F-   3170 Wired Communication I/F-   3214, 3364 WUR Preamble Detection-   3216, 3366 WUR Packet Decoding/Processing module-   3370 Secret Keys-   3372 WUR Replay Counter

ABBREVIATIONS

-   AP: Access point-   CRC: Cyclic Redundancy Code-   FCS: Frame Check Sequence-   GMK: Group Master Key-   GTK: Group Temporal Key-   IGTK: Integrity Group Temporal Key-   MAC: Medium access control-   MIC: Message Integrity Code-   OOK: ON-OFF Keying-   OBSS: Overlapping Basic Service Set-   OFDM: Orthogonal Frequency Division Multiplexing-   PCR: Primary connectivity radio-   PHY: Physical layer-   PMK: Pairwise Master Key-   PN: Packet Number-   PPN: Partial Packet Number-   PTK: Pairwise Temporal Key-   PTSF: Partial Timing Synchronization Function (TSF)-   RA: Receiver Address-   RSNA: Robust Security Network Association-   STA: Station-   TA: Transmitter Address-   TSF: Timing Synchronization Function-   TK: Temporal Key-   WUP: Wake-up packet-   WUR: Wake-up radio-   WURx: Wake-up receiver

The various embodiments described above can be combined to providefurther embodiments. All of the U.S. patents, U.S. patent applicationpublications, U.S. patent applications, foreign patents, foreign patentapplications and non-patent publications referred to in thisspecification and/or listed in the Application Data Sheet areincorporated herein by reference, in their entirety. Aspects of theembodiments can be modified, if necessary to employ concepts of thevarious patents, applications and publications to provide yet furtherembodiments.

These and other changes can be made to the embodiments in light of theabove-detailed description. In general, in the following claims, theterms used should not be construed to limit the claims to the specificembodiments disclosed in the specification and the claims, but should beconstrued to include all possible embodiments along with the full scopeof equivalents to which such claims are entitled. Accordingly, theclaims are not limited by the disclosure.

1. A station comprising: a receiver which, in operation, receive, froman Access Point (AP), a Wake-Up Radio (WUR) frame containing MessageIntegrity Code (MIC) that is computed, by the access point, using atemporal key and a part of AP Time Synchronization Function (TSF) timer;and circuitry which, in operation, computes a local MIC using thetemporal key and a station TSF timer, and if the computed local MICmatches the MIC of the WUR frame, the circuitry authenticates the WURframe that wakes up the station.
 2. The station according to claim 1,wherein the MIC is computed using a transmitter address of the AP. 3.The station according to claim 1, wherein the MIC is computed using ahash function.
 4. The station according to claim 1, wherein the temporalkey is a WUR temporal key, and the AP uses the WUR temporal key tocompute the MIC for protecting the WUR frame which is an individuallyaddressed WUR frame.
 5. The station according to claim 1, wherein thetemporal key is a WUR group temporal key, and the AP uses the WUR grouptemporal key to compute the MIC for protecting the WUR frame which is anbroadcast WUR frame or multicast WUR frame addressed to a group ofstations.
 6. The station according to claim 1, wherein the MIC iscontained in a Frame Check Sequence (FCS) field of the WUR frame.
 7. Thestation according to claim 1, wherein the temporal key is indicated by asubfield of the WUR frame.
 8. The station according to claim 1, whereinthe station TSF timer is a part of local TSF timer maintained by thestation.
 9. The station according to claim 1, wherein the WUR framewakes up the station.
 10. A communication method for a station, themethod comprising: receiving, from an Access Point (AP), a Wake-Up Radio(WUR) frame containing Message Integrity Code (MIC) that is computed, bythe access point, using a temporal key and a part of AP TimeSynchronization Function (TSF) timer; computing a local MIC using thetemporal key and a station TSF timer; and if the computed local MICmatches the MIC of the WUR frame, authenticating the WUR frame thatwakes up the station.
 11. An integrated circuit for a station, theintegrated circuit comprising, an input, which, in operation, input asignal, and control circuitry, which is coupled to the at input, andwhich controls: receiving, from an Access Point (AP), a Wake-Up Radio(WUR) frame containing Message Integrity Code (MIC) that is computed, bythe access point, using a temporal key and a part of AP TimeSynchronization Function (TSF) timer; computing a local MIC using thetemporal key and a station TSF timer; and if the computed local MICmatches the MIC of the WUR frame, authenticating the WUR frame thatwakes up the station.